PKI Server Restore

From Dogtag


This page describes the process to restore a PKI server instance from a backup.

Current Limitations

Currently this procedure has some limitations:

  • The backup should be restored on a machine with the same hostname since the hostname of the original server is stored in various server files and database entries.
  • The backup should be restored on a machine with the same PKI version since the server files and database might have changed in different versions.

In the future it might be possible to restore the instance on a machine with a different hostname and also migrate it to a newer version.

Restoring LDAP Database

First, create a DS instance:

$ setup-ds.pl --silent -- \
        General.FullMachineName=$HOSTNAME \
        General.SuiteSpotUserID=nobody \
        General.SuiteSpotGroup=nobody \
        slapd.ServerPort=389 \
        slapd.ServerIdentifier=localhost \
        slapd.Suffix=dc=example,dc=com \
        "slapd.RootDN=cn=Directory Manager" \
        slapd.RootDNPwd=Secret.123

Create a backend database for each subsystem in the backup (shown here for the CA):

$ ldapadd -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=ca,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsBackendInstance
objectClass: extensibleObject
cn: ca
nsslapd-suffix: dc=ca,dc=pki,dc=example,dc=com
EOF

Also create a mapping tree entry for each backend database (note that the suffix in the entry's RDN must be DN-escaped, with = written as \3D and , as \2C):

$ ldapadd -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=dc\3Dca\2Cdc\3Dpki\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=ca,dc=pki,dc=example,dc=com
nsslapd-backend: ca
nsslapd-state: backend
EOF

Import PKI schema:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 -f /usr/share/pki/server/conf/schema.ldif

Update database configuration:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 -f /usr/share/pki/server/conf/database.ldif

Stop the instance before importing, since ldif2db requires the server to be offline:

$ systemctl stop dirsrv@localhost.service

Import the main database with the following command:

$ ldif2db -V -Z localhost -n userRoot -i $PWD/userRoot.ldif

Import each subsystem database with the following command:

$ ldif2db -V -Z localhost -n ca -i $PWD/ca.ldif

Start the instance again:

$ systemctl start dirsrv@localhost.service

Verify that both the main suffix and each subsystem suffix are served:

$ ldapsearch -x -D "cn=Directory Manager" -w Secret.123 -b "dc=pki,dc=example,dc=com"
$ ldapsearch -x -D "cn=Directory Manager" -w Secret.123 -b "dc=ca,dc=pki,dc=example,dc=com"
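The backend and mapping tree entries above have to be created once per subsystem, and the mapping tree RDN is easy to get wrong by hand. The following helper (an added example, not part of the Dogtag page) generates both entries for a given backend name and suffix with the DN escaping applied; the subsystem names and the Secret.123 password are taken from this page, and which subsystems are in a given backup is an assumption you fill in.

```shell
#!/bin/sh
# Added example, not the Dogtag project's own code.
# Produces the ldbm backend entry and the matching mapping tree entry
# for one PKI subsystem so the same LDIF can be fed to ldapadd for
# every subsystem (ca, kra, ...) contained in the backup.

# escape_dn_value VALUE
# The RDN value of a mapping tree entry is itself a DN, so '=' and ','
# inside it must be written in hex-escaped form (\3D and \2C).
escape_dn_value() {
    printf '%s' "$1" | sed -e 's/=/\\3D/g' -e 's/,/\\2C/g'
}

# backend_ldif BACKEND SUFFIX
# Prints two LDIF entries: the database instance named BACKEND and the
# mapping tree entry that routes SUFFIX to it (nsslapd-state: backend).
backend_ldif() {
    backend="$1"
    suffix="$2"
    escaped=$(escape_dn_value "$suffix")
    printf 'dn: cn=%s,cn=ldbm database,cn=plugins,cn=config\n' "$backend"
    printf 'objectClass: top\nobjectClass: nsBackendInstance\nobjectClass: extensibleObject\n'
    printf 'cn: %s\nnsslapd-suffix: %s\n\n' "$backend" "$suffix"
    printf 'dn: cn=%s,cn=mapping tree,cn=config\n' "$escaped"
    printf 'objectClass: top\nobjectClass: extensibleObject\nobjectClass: nsMappingTree\n'
    printf 'cn: %s\nnsslapd-backend: %s\nnsslapd-state: backend\n\n' "$suffix" "$backend"
}

# Stand-alone run: print the LDIF for the CA backend used on this page.
# To apply it for several subsystems (assumed list, adjust to the backup):
#   for s in ca kra; do backend_ldif "$s" "dc=$s,dc=pki,dc=example,dc=com"; done \
#       | ldapadd -x -D "cn=Directory Manager" -w Secret.123
backend_ldif ca "dc=ca,dc=pki,dc=example,dc=com"
```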

Restoring Server Files

To restore the server files, extract the archive over the root filesystem (this overwrites any existing instance files at the same paths):

$ tar xzvf pki-tomcat.tar.gz -C /

Then start the server:

$ pki-server start

See Also